Bounces, AutoReplies, and You

Over 150 plugins were closed during WCUS due to auto replies, bounces, and confusing plugin ownership.

In our plugin developer expectations, we say this:

It is the responsibility of the plugin developer to ensure their contact information on WordPress.org is up to date and accurate, in order that they receive all notifications from the plugins team. Auto-replies and emails that route to a support system are not permitted as they historically prevent humans from addressing emails in a timely fashion.

Your email has to work. If we can’t get a hold of you, we’re going to either remove you from your plugin or, if you’re the owner, close it. This is especially true if we can’t figure out who’s meant to own a plugin, or the ‘official’ company account is bouncing.

If your email sends an auto-reply, or a partial bounce (that is, you have a group email and one address in the group bounces) we ALWAYS email you with as much detail as needed to resolve the issue.

Since we sent out a mass email in October, pre 5.0, and another last week, we had a 50 day window for many people to correct the issues.

Let’s hit up some of the reasons why we do this:

Auto-Replies are a bad developer practice

Two reasons, besides the fact that they’re spammy, that a developer account should never auto-reply:

1. Security
2. Communication

Security is the biggest. An auto-reply generally comes from a SUPPORT account. A support account should NEVER be receiving our emails because they’re likely to be related to insecurity in your plugins. We don’t 0-day you, ever, that would be cruel. We want you to fix things ASAP, though, for your users, and if support gets that message, now you have more people, who may not understand not to tell customers about the problems. Also we have no way to be sure the developer got the email. You’re trusting support to escalate properly every time.

Communication is obviously related. We’ve got to be able to get a hold of you, and putting layers between us and you isn’t going to help.

Auto-replies cause developers to not get notifications

We actually DO inform everyone about the status of auto-replies. Once we determine what plugin causes the reply, we email everyone with commit access (i.e. your developers) that there is a problem and to please resolve it. The fact that a high number of you aren’t seeing those emails is indicative of the problem.

Developers aren’t support

For the majority of plugins, this is actually not true. That is, most people are developers and their own support. But those aren’t the people who make auto-replies. The people who have auto-replies tend to be companies. And for a company, there’s a reason they want the auto-replies for people contacting support. That’s perfectly sensible.

The disconnect here is that we expect the people who have commit access to be developers. We

Thankfully we have a solution for you! You can add your support users as Support Representatives for your plugin!

WordPress isn’t your user

All of that said, having an auto-reply on the account you use here to manage your plugin and support your users creates a poor experience. People can’t email you from WordPress.org and while you can chose to get emails for all new posts in your plugin’s forum, having that sent to an auto-reply is rather odd. Why would you want to auto-reply to an automated notification email?

Shared accounts are dangerous

This goes back to security. Don’t share accounts. NEVER share accounts. Give developers individual access to commit code. Add support reps individually. Doing this gives you an easy way to track who commits what code, who answered what question, and you can now hold them accountable for their individual actions! Got one support tech who goes off the rails? You can explain that it was one person and you’re handling it. Or the forums team can help you block their account if needed.

Bounces are harder to unravel than you think

Sometimes a bounce is obvious. If a user no longer exists, we can close the plugin. If a domain no longer exists, you’d think we could close it, but what if that happened because a company renamed themselves and forgot to update the emails? And what about when the bounce is from the domain, but doesn’t say WHICH user account bounced? It takes time.

We know a handful of people have been upset to find out we closed their plugins instead of trying to sort out who actually should own the plugin when the email bounced. We are sorry about that, but it was a case of prioritizing and expediency. It’s much more efficient for us to close the plugin and let you contact us than to spend a couple hours untangling who represents a company and is legally responsible for managing a plugin.

Questions?

As always, if your plugin was closed and you don’t know why, email us with a link to the plugin and ask. We’d rather have them up and active and usable too!

#reminder #email

Reminder: Plugins are closed if emails bounce

We emailed out the ‘5.0 is coming’ email and received a record high number of bounces. Over 2000. Normally we get a couple hundred, mixed in with vacation notifications (which we ignore) and auto-replies.

When your email bounces, we close your plugin because we no longer have a way to communicate with you. We even email you to tell you, just in case it’s a one-off glitch. If your email auto-replies, you get a warning. If you don’t fix this, the next auto-reply gets you closed. There are a couple exceptions to this, like the person who’s system got stuck in a loop and emailed us back 6 times for one plugin.

  • If the email was the owner of the plugin, and there’s no clear secondary owner, the plugin’s closed
  • If the email was the owner but we can tell another account is the co-owner, we transfer the plugin and email the new owner to explain
  • If the email is a committer, their account is removed and the owner emailed to explain why

Why so many?

But this number being so high was astounding to us. Like I said, it’s 10x the norm. In looking into it, we’ve determined the following facts led to this number:

  • Yahoo will delete your email account if you don’t use it for a year
  • Google reserves the right to deactivate your email after 9 months of inactivity
  • Free Windows Live Hotmail accounts become inactive if you don’t sign in for more than 270 days
  • Google email groups default to not allowing external emails.

My guess is that with GDPR being a thing, many email servers have gone ahead and deleted things. Also I suspect they changed the defaults on Google email groups, since a few of these accounts have been around for a while.

How do I get my plugin reopened?

First check that your user’s email is correct. If not, fix that. Then email us and ask if your plugin can be reopened. Most everyone has been reopened immediately. The stragglers are due to ownership issues. This is why we’re so pedantic about official accounts owning plugins. If the owner bounces but other people from the company have official accounts as committers, we’ll transfer the plugin.

What can I do to prevent this from happening?

The simple answer is “Make sure your email is up to date and functional.”

  • Add wordpress.org to your email’s white-list so you always get our emails
  • If you have a plugin that is a company plugin, make sure that the plugin owner’s email us up to date, and not an auto-reply
  • If your email is an alias, make sure everyone who gets the copy of the email is an active users
  • If you use a group/mailinglist account for your plugin, make sure wordpress.org can email it (groups need to allow ‘world’ access to send to)

#email, #reminder

When emailing zips please make sure your email…

When emailing zips, please make sure your email client and email service provider allow this.

Increasingly, we have seen people testifying that they emailed us a file with a zip, but we never receive it. In doing some research, we’ve found that mail providers are now silent-killing large emails! While the settings can be overwritten, please keep this in mind when you email people your zips.

If you have the ability to check your mail logs, you may be rudely surprised. I know I was.

#email, #notice

Reminder: Your Email Account Must Be Valid

Since the only way we have to get in touch with plugin authors is their emails, we’re going to be enforcing that you have a valid email that goes to a human being for you plugins.

This simple statement covers a multitude of situations but to clarify, we’re talking about the email associated with the user accounts that have commit access to your plugins.

Go to https://wordpress.org/plugins/YOUR-PLUGIN/admin/ and look at the people listed under Committers. Those accounts are who we email when there’s an issue with a plugin, or when we’re alerting you to new WordPress updates. Those emails must go to real human beings. It can be a shared email box (goodness knows plugins is a shared email box) but real people have to read those emails because without that, we cannot communicate with you.

We strongly suggest you whitelist plugins@wordpress.org

The following email situations may result in your plugin being closed if we can’t find a way to communicate with you:

Invalid Emails

If your email bounces, your plugin gets closed. We can only assume that a dead email means you’re done with things, and since we have no way to contact you, your plugin can only be considered unsupportable. If you notice your plugin is closed and you didn’t get an email from us, check your account’s email. If that’s not right, that’s probably why.

Auto-Replies

If your email has an auto-reply, such as the sort that goes to a support ticket generator, stop it. This makes it nigh impossible for us to communicate with you, we can never tell if a human has read the email, and we get a mail box filled with auto-replies which means you’re the reason plugin reviews are backlogged. We will normally email you one sternly worded warning about this. If it keeps up, your plugin may be closed.

2-Step Verification

If your email auto-replies and asks people to click or reply in a special way to ensure our email gets to you, guess what? Half the time that doesn’t work. We often get expired tokens because it takes us more than 24 hours to get through all the emails in our queue, and once that happens we have no way to get our email to you.

Deceased Authors

This is a touchy subject so I apologize in advance. If a plugin author has died and we can verify this, we remove their account’s access to their plugins (and usually reset their passwords to something random). This is in the interest of security, as doing so will prevent any possible issues if their account is hacked. We do not close the plugins. If there are co-committers, they will be notified. Otherwise the plugin will simply remain in place. Taking over those plugins is a similarly touchy subject, and priority will be given to their coworkers or close friends/family who are also WordPress developers.

#email, #reminder, #repository, #security

AutoReply Sucks

Did you know we have no auto-replies at all sent from WordPress plugins?

Every single email, even the predefined ones, are written and picked and sent by hand. Even the one that goes out to all 22,573 user accounts with commit access to a plugin.

But you know what happens when we send out that nice reminder to test on WordPress 4.4?

We get a few hundred auto-replies from support systems.

THIS IS A GLOBAL REMINDER

Please change the address on your WordPress.org forums account to one that does not go to an automated support system. We need to be able to communicate directly with plugin authors, and having automated responses don’t help us much.

THIS IS A REQUIREMENT. If we continue to receive automated responses from your support system, we will have to shut down your plugin and remove it from the WordPress.org directory.

We require that we have the ability to contact you about updates on a regular basis. If we also get automated responses, then this eats up our time, and is a problem for us.

Please do whatever is necessary to STOP these automated responses. We would prefer that you use an email address on the forums that goes to actual people, not into a support system. Our forums send emails for all sorts of reasons, and automated responses eat up our bandwidth needlessly, since they don’t go anywhere.

Basically it’s this: If we can’t get in touch with you, we can’t host your plugin.

Please whitelist pluginsATwordpress.org and please exclude us from your auto-replies.

(A quick note – A personal autoreply, like “I’m at a wedding and won’t be back until December 3rd” is not the same thing. Those are fine!)

#email, #repository

Regarding Offers to “Buy” Plugins

Did you get this email:

We’re reaching out to the WordPress community, looking for
individuals/companies like yourself who are keen to explore the opportunity
of a joint venture/sale of their WordPress plugin/s.

If you are interested in discussing your plugin and what we’re offering
please fill out the form on the attached website, and we will be in contact
with you.

This was a blast email sent to a few hundred people by an unknown person.

Please delete it. It’s not from anyone we can trace back to the WordPress community, and selling your plugins will likely end with your users being highly upset that the changes in the plugin are not what they wanted. At the best, you’ll end up on a spam list.

If you are a company looking to ‘buy’ plugins please don’t use tactics like this. It makes you look like a sleazy sort of person, whom no one would want to do business with. Purchase plugins by directly talking to people who have made a plugin you had a need for.

If you do sell your plugin (or give it away to someone else), please make sure the new owners understand all the guidelines of the repository. Should they violate our terms the plugin will be removed, and we may not give it back depending on the level of the violation. Whomever has commit access to a plugin has the ownership and responsibility of it’s behavior for users. Spamming, inserting tracking data, and adding junk features are the fastest way to ruin your plugin.

We advocate only giving your plugin to people you personally have vetted, and that you trust with being responsible with your code and your users.

#email, #warning